Presentation is loading. Please wait.

Presentation is loading. Please wait.

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Published byBrenton Rossen Modified over 10 years ago

Similar presentations

Presentation on theme: "Multi-Party Contract Signing Sam Hasinoff April 9, 2001."— Presentation transcript:

1 Multi-Party Contract Signing Sam Hasinoff April 9, 2001

2 References Round-optimal and Abuse-free Optimistic Multi-Party Contract Signing (Waidner and Waidner, ICALP 2000) Abuse-free Multi-party Contract Signing (Garay and MacKenzie, DISC 1999)

3 Overview Contract signing Lower bound on number of rounds Contract signing protocol Abuse-freeness

4 Contract Signing Contract – formal agreement on a text between two or more parties –Example: landlord, tenant, sublessor If terms of a contract are broken and need to be enforced, a contract verifier must be able determine the validity of the contract Fairness – either all honest participants obtain a valid contract or no one does

5 Every party decides signed or failed Using a trusted party (T), the problem is easy to solve: –T collects signatures from the parties –If all signatures arrive, it redistributes them, otherwise it aborts the contract T is a bottleneck for trust and performance Optimistic protocol – uses T only if something goes wrong

6 Security Requirements (Fairness) Correctness – if all parties are honest and patient, they all decide signed Verifiability – if an honest party decided signed and the verifier is patient, he will decide signed Unforgeability – if an honest party didnt sign the contract, no verifier decides signed No invalid contracts – if an honest party decided failed, no verifier decides signed Termination – the protocol eventually terminates

7 Model There are n signing parties – P 1,…,P n Up to t < n parties are Byzantine Network is asynchronous and scheduled by the adversary –Messages are reliably delivered, eventually, but with no guarantee on order Signatures are unforgeable –Assumption based on the cryptography

8 Lower bound There must exist a final round in which some party (say P 1 ) sends a message that can be combined with all previous messages to complete the contract Theorem 1 [Garay, MacKenzie, DISC 1999]. Any fair optimistic contract signing protocol for n parties requires at least n rounds (in a run where T is not used).

9 At this point, P 1 must have received messages from the others in previous rounds s.t. it could send a message to T to obtain a complete contract Otherwise, the other parties could use the message from P 1 to complete their contracts, but decide to send nothing further. This would leave P 1 with no contract and violate fairness – a contradiction Specifically, there must be a previous round in which some party (say P 2 ) sends a message to P 1 allowing this

10 This argument generalizes easily Given that a set of participants P 1,…,P i have received messages s.t. any of them could send a message to T and obtain a complete contract regardless of the actions of P i+1,…,P n, there must be a previous round in which some party (say P i+1 ), sends a message to P i that allows this So by a backwards induction, the number of rounds needed is at least n

11 Contract signing protocol Protocol proceeds in t+2 rounds In round 1, each party signs a promise to sign the contract and broadcasts that promise In subsequent rounds, each party collects signatures from the previous round, countersigns this set of n signatures, and broadcasts it The result of the (t+2)-nd round is the real contract

12 Any party who gets tired of waiting can contact T and send it all the messages received so far It then stops sending any messages, and simply waits for an answer from T If T receives its first message in round 1, it must abort and respond with failed If T receives its first message in some later round, it will respond with signed T will only ever change its response (from failed to signed ) if all messages it previously answered with failed came from dishonest parties

13 Detecting dishonesty Since s > 0, we have r > 2, and therefore the message from P i includes the complete set of round-(r-2) messages, countersigned by everybody Thus P k must have participated in round r-1, in order to have countersigned the round-(r-2) messages and sent this as a message to P i So P k was active after having sent its message to T, and hence is dishonest Lemma 1. If T receives a message from P i in round r, and previously answered failed to some other P k in round s < r-1, then P k is dishonest

14 Verification protocol P i shows a signed contract to the verifier V V outputs signed if either the contract consists of either of the following: –(T was contacted and responded signed ) the complete set of n round-(r-1) messages signed by some P j and countersigned by T in round r > 1 –(optimistic termination) the complete set of n round-(t+2) messages Otherwise V outputs failed

15 Security of the protocol Correctness and verifiability are clearly satisfied Unforgeability is true because all variants of a valid contract contain pieces signed by all parties, and we assume the signatures are unforgeable Theorem 2 [Waidner and Waidner, ICALP 2000]. The protocol described is a fair asynchronous multi-party contract signing scheme with a trusted third party T for any t < n. It is optimistic and terminates in t+4 rounds in the worst case.

16 Termination –Each of the t+2 rounds terminates either because all responses from the other parties are received, or T is contacted and eventually answers. In the worst case, T is contacted in the last round, giving t+4 rounds No invalid contracts is shown by contradiction. Assume an honest P i decided failed and an honest verifier V decides signed –Case 1: V has all n round-(r-1) messages signed by some P j and countersigned by T in round r > 1 P j decided signed based on the response received from T in round r, and so for P i to decide failed, it must has received an abort from T in round s <= r But T could not have changed its decision from failed to signed, because it could only do that if all aborted parties (P i is a counterexample) are dishonest – a contradiction

17 No invalid contracts (continued) –Case 2: V has all n round-(t+2) messages To decide failed, P i must have participated in round t+2 but then contacted T and received an abort From the rules of T, and by induction, for all rounds {1,…,t+1}, some party received an abort Then by Lemma 1, those parties who received an abort in rounds {1,…,t} must be dishonest Since there are at most t dishonest parties, the party who received an abort in round t+1 must be honest That party could not have participated in round t+2, so the set n of round-(t+2) messages could not have been complete – a contradiction

18 Round optimality Corollary 1. The number of rounds for the contract signing scheme is O(n).

19 Abuse-freeness Abuse-freeness – at no point can a party prove to an outsider that he has the power to control whether the contract will be signed Example of abuse: –Alice signs a contract (to supply widgets for $10) and faxes it to Bob for him to sign –Bob (abusive) uses his potentially signed contract with Alice to coerce Charlie into offering him a new contract (for $9 widgets) –Bob never signs the contract with Alice

20 Is the protocol abuse-free? The contract signing protocol is not abuse-free! Example (n = 2, P 2 abusive): –both parties send their round-1 messages, but only P 1 sends his round-2 message –P 2 could either ignore the messages from P 1 and send a (round-1) message to T and get the response failed, or use the messages from P 1 and send a (round-3) message to T and get the response signed –the round-3 message that P 2 could send to T will convince an outsider of the power that P 2 has to decide the contract

21 Adding abuse-freeness The basic idea remains the same, but each party generates a fresh, new signature for the execution of the protocol –This is in contrast to their mutually agreed upon, permanent digital signatures The result of an execution of the old protocol with the fresh signatures is called the pre-contract Since an adversary cannot prove that a fresh signature belongs to a certain party, an outsider would not be convinced of the status of the protocol, and hence the protocol is abuse-free

22 However, the pre-contract is also made to contain the contract signed with the parties permanent signatures, but encrypted (with Ts public key) so that only T can decrypt To convert the pre-contract into a real contract, the parties then exchange the original contract signed with the parties permanent signatures, and check that the pre-contract was indeed valid Failing that, T can try to recover by decrypting all the encrypted messages in the pre-contract

23 Final result Theorem 3 [Waidner and Waidner, ICALP 2000]. There is a protocol (as outlined) for asynchronous abuse-free multi-party contract signing with a trusted third party T for any t < n. It is optimistic and terminates in t+6 rounds in the worst case.

Download ppt "Multi-Party Contract Signing Sam Hasinoff April 9, 2001."

Similar presentations

Two absolute bounds for distributed bit complexity Yefim Dinitz, Noam Solomon, 2007 Presented by: Or Peri & Maya Shuster.

Two absolute bounds for distributed bit complexity Yefim Dinitz, Noam Solomon, 2007 Presented by: Or Peri & Maya Shuster.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Chapter 15 Basic Asynchronous Network Algorithms

Chapter 15 Basic Asynchronous Network Algorithms
Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3,4, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex.

Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3,4, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 3.3: Fair Exchange.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 3.3: Fair Exchange.
(c) Oded Shmueli 20041 Distributed Recovery, Lecture 7 (BHG, Chap.7)

(c) Oded Shmueli Distributed Recovery, Lecture 7 (BHG, Chap.7)
Outline. Theorem For the two processor network, Bit C(Leader) = Bit C(MaxF) = 2[log 2 ((M + 2)/3.5)] and Bit C t (Leader) = Bit C t (MaxF) = 2[log 2 ((M.

Outline. Theorem For the two processor network, Bit C(Leader) = Bit C(MaxF) = 2[log 2 ((M + 2)/3.5)] and Bit C t (Leader) = Bit C t (MaxF) = 2[log 2 ((M.
Achieving Byzantine Agreement and Broadcast against Rational Adversaries Adam Groce Aishwarya Thiruvengadam Ateeq Sharfuddin CMSC 858F: Algorithmic Game.

Achieving Byzantine Agreement and Broadcast against Rational Adversaries Adam Groce Aishwarya Thiruvengadam Ateeq Sharfuddin CMSC 858F: Algorithmic Game.
Prepared by Ilya Kolchinsky.  n generals, communicating through messengers  some of the generals (up to m) might be traitors  all loyal generals should.

Prepared by Ilya Kolchinsky.  n generals, communicating through messengers  some of the generals (up to m) might be traitors  all loyal generals should.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
1 Asynchronous Broadcast Protocols in Distributed System Oct. 10, 2002 JaeHyrk Park ICU.

1 Asynchronous Broadcast Protocols in Distributed System Oct. 10, 2002 JaeHyrk Park ICU.
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.
Failure Detectors. Can we do anything in asynchronous systems? Reliable broadcast –Process j sends a message m to all processes in the system –Requirement:

Failure Detectors. Can we do anything in asynchronous systems? Reliable broadcast –Process j sends a message m to all processes in the system –Requirement:
1 Principles of Reliable Distributed Systems Lecture 3: Synchronous Uniform Consensus Spring 2006 Dr. Idit Keidar.

1 Principles of Reliable Distributed Systems Lecture 3: Synchronous Uniform Consensus Spring 2006 Dr. Idit Keidar.
Distributed systems Module 2 -Distributed algorithms Teaching unit 1 – Basic techniques Ernesto Damiani University of Bozen Lesson 3 – Distributed Systems.

Distributed systems Module 2 -Distributed algorithms Teaching unit 1 – Basic techniques Ernesto Damiani University of Bozen Lesson 3 – Distributed Systems.
CPSC 668Set 9: Fault Tolerant Consensus1 CPSC 668 Distributed Algorithms and Systems Fall 2006 Prof. Jennifer Welch.

CPSC 668Set 9: Fault Tolerant Consensus1 CPSC 668 Distributed Algorithms and Systems Fall 2006 Prof. Jennifer Welch.
CPSC 668Set 9: Fault Tolerant Consensus1 CPSC 668 Distributed Algorithms and Systems Spring 2008 Prof. Jennifer Welch.

CPSC 668Set 9: Fault Tolerant Consensus1 CPSC 668 Distributed Algorithms and Systems Spring 2008 Prof. Jennifer Welch.
CPSC 668Set 10: Consensus with Byzantine Failures1 CPSC 668 Distributed Algorithms and Systems Fall 2006 Prof. Jennifer Welch.

CPSC 668Set 10: Consensus with Byzantine Failures1 CPSC 668 Distributed Algorithms and Systems Fall 2006 Prof. Jennifer Welch.
A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker : LIN, KENG-CHU.

A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker : LIN, KENG-CHU.
Randomized Byzantine Agreements (Sam Toueg 1984).

Randomized Byzantine Agreements (Sam Toueg 1984).

Similar presentations

Ads by Google